HIPAA focuses squarely on security and consent. HIPAA assures that you, the patient, have rights over your healthcare information and sets regulations on who can acquire and view that information and under what circumstances. The Privacy Rule sets clear standards for the protection of personal health information. This protection covers anything a healthcare provider enters in a medical record, conversations about you between doctors, nurses, and other staff, and any other information in the healthcare provider’s computer system, including billing information. HIPAA requires that all personnel involved in any aspect of health information be trained, that written privacy procedures be adopted, and that sanctions be in place for violations. The penalties for knowingly violating HIPAA for commercial exploitation can be as steep as a $250,000 fine and 10 years in prison.
A patient’s health information may only be used for healthcare and related services. A healthcare provider cannot, for example, provide a list of patients to a drug company for marketing purposes. A patient’s healthcare information may be used for other purposes, such as research, but only with the patient’s written consent and a full disclosure of what information will be used. Further, when health information is released, only the minimum amount of information necessary is permitted. If a law office requests healthcare information on an individual, only the relevant parts of that information may be released, such as information specific to an accident or insurance claim. In the past it was common to release a patient’s entire chart to a law office when a chart was requested.